
Examine ciphers

First, run the FIPS container so that it is listening on a port for SSL/TLS connections. To view the ciphers offered by the container, run the following from the host:
# update {port} with the port exposed by the image
nmap -sV --script ssl-enum-ciphers -p {port} localhost
The output lists the cipher suites offered for each TLS protocol version. For example:
PORT     STATE SERVICE  VERSION
9443/tcp open  ssl/http nginx 1.27.4
|_http-server-header: nginx/1.27.4
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

FIPS module verification

To test that the OpenSSL FIPS provider module is configured, you will need to run the container as root and override the entrypoint at runtime. For example, for the Minimus FIPS NGINX image, the run command looks like this:
docker run -it --rm \
--user root --entrypoint openssl-fips-test \
reg.mini.dev/nginx-fips
The test results will print to the terminal for you to review. For example:
Checking OpenSSL lifecycle assurance.

        ✓ Self-test KAT_Integrity HMAC_Verify, 256 ... passed.
        ✓ Self-test KAT_Module_Integrity HMAC_Verify, 256, Module Integrity ... passed.
        ✓ Self-test KAT_Cipher AES_GCM_Encrypt, 256 ... passed.
        ✓ Self-test KAT_Cipher AES_GCM_Decrypt, 256 ... passed.
        ✓ Self-test KAT_Cipher AES_ECB_Decrypt, 256 ... passed.
        ✓ Self-test KAT_Cipher TDES_Decrypt, CBC ... passed.
        ✓ Self-test KAT_DRBG CTR, 128 ... passed.
        ✓ Self-test KAT_DRBG HASH, SHA-256 ... passed.
        ✓ Self-test KAT_DRBG HMAC, SHA-1 ... passed.
        ✓ Self-test KAT_KDF X942KDF, SHA-1 ... passed.
        ✓ Self-test KAT_KDF X963KDF, SHA-256 ... passed.
        ✓ Self-test KAT_KDF SSHKDF, SHA-1 ... passed.
        ✓ Self-test KAT_KDF TLS12_PRF, SHA-256 ... passed.
        ✓ Self-test KAT_KDF TLS13_KDF_EXTRACT, SHA-256 ... passed.
        ✓ Self-test KAT_KDF TLS13_KDF_EXPAND, SHA-256 ... passed.
        ✓ Self-test Continuous_RNG_Test RNG ... passed.
        ✓ Self-test KAT_Signature DSA_Verify, SHA-256 ... passed.
        ✓ Self-test KAT_Signature ECDSA_Prime_Sign, P-224 ... passed.
        ✓ Self-test KAT_Signature ECDSA_Prime_Verify, P-224 ... passed.
        ✓ Self-test KAT_Signature ECDSA_Binary_Sign, K-233 ... passed.
        ✓ Self-test KAT_Signature ECDSA_Binary_Verify, K-233 ... passed.
        ✓ Self-test KAT_Signature ECDSA_Brainpool_Sign, Brainpool ... passed.
        ✓ Self-test KAT_Signature ECDSA_Brainpool_Verify, Brainpool ... passed.
        ✓ Self-test Conditional_PCT ED448 ... passed.
        ✓ Self-test KAT_Signature EDDSA_Sign, Ed448 ... passed.
        ✓ Self-test Conditional_PCT ED448 ... passed.
        ✓ Self-test KAT_Signature EDDSA_Verify, Ed448 ... passed.
        ✓ Self-test Conditional_PCT ED25519 ... passed.
        ✓ Self-test KAT_Signature EDDSA_Sign, Ed25519 ... passed.
        ✓ Self-test Conditional_PCT ED25519 ... passed.
        ✓ Self-test KAT_Signature EDDSA_Verify, Ed25519 ... passed.
        ✓ Self-test Conditional_PCT RSA ... passed.
        ✓ Self-test KAT_Signature RSA_Sign, SHA-256 ... passed.
        ✓ Self-test Conditional_PCT RSA ... passed.
        ✓ Self-test KAT_Signature RSA_Verify, SHA-256 ... passed.
        ✓ Self-test KAT_KA KAS-ECC-SSC, P-256 ... passed.
        ✓ Self-test Conditional_PCT DH ... passed.
        ✓ Self-test KAT_KA KAS-FFC-SSC, FB (2048, 224) ... passed.
        ✓ Self-test KAT_KDF KDA HKDF, SHA-256 ... passed.
        ✓ Self-test KAT_KDF KDA OneStep, SHA-224 ... passed.
        ✓ Self-test KAT_KDF KBKDF, HMAC SHA-256 ... passed.
        ✓ Self-test KAT_KDF PBKDF2, SHA-256 ... passed.
        ✓ Self-test KAT_AsymmetricCipher KTS_RSA_Encrypt, KTS-OAEP 2048bit ... passed.
        ✓ Self-test Conditional_PCT RSA ... passed.
        ✓ Self-test KAT_AsymmetricCipher KTS_RSA_Decrypt, KTS-OAEP 2048bit ... passed.
        ✓ Self-test Conditional_PCT RSA ... passed.
        ✓ Self-test KAT_AsymmetricCipher KTS_RSA_Decrypt, CRT 2048bit ... passed.
        ✓ Self-test KAT_KEM KAS_RSA_SSC, 2048bit ... passed.
        ✓ Self-test KAT_Digest SHA3, 256 ... passed.
        ✓ Self-test KAT_Digest SHA2, 512 ... passed.
        ✓ Self-test KAT_Digest SHA1, SHA-1 ... passed.

        ✓ 51 out of 51 self-tests passed.
        ✓ Check FIPS cryptographic module is available... passed.
        ✓ Check FIPS approved only mode (EVP_default_properties_is_fips_enabled)... passed.
        ✓ Check non-approved algorithm blocked (HMAC-MD5)... passed.

Digests available for non-security use as per FIPS 140-3 I.G. 2.4.A (fips=no):
        ✓  MD5
        ✓  SHA1

Available approved algorithms for security purposes (fips=yes):
        ✗ MD5
        ✓ SHA-1
        ✓ SHA-2
        ✓ SHA-3
        ✓ DSA
        ✓ RSA
        ✓ ECDSA
        ✓ Ed25519
        ✗ DetECDSA
        ✗ ML-DSA
        ✗ SLH-DSA
        ✗ ML-KEM
        ✗ X25519MLKEM768
        ✗ SecP256r1MLKEM768

Public OpenSSL API (libssl.so & libcrypto.so):
        name:           OpenSSL 3.5.4 30 Sep 2025
        version:        3.5.4

FIPS cryptographic module provider details (fips.so):
        name:           140-3 FIPS Provider
        version:        3.0.0-FIPS 140-3
        build:          3.0.0-FIPS 140-3

Locate applicable CMVP certificate(s) at: CMVP Search
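Reviewing 51 lines by eye does not scale across image updates, so the following added example (not part of the original page or of `openssl-fips-test`) checks captured output for the lines that matter: the self-test summary, the three `Check` lines, and MD5 being rejected under `fips=yes`. The sample is an abridged copy of the output above; how the tool words a failed line is not shown on the page, so the example assumes any `Self-test` or `Check` line that is not marked `✓` and ending in `passed.` is a failure.

```python
import re

# Abridged copy of the page's sample output (constructed subset, not a new
# run of the tool).
FIPS_SAMPLE = """\
        ✓ Self-test KAT_Cipher AES_GCM_Encrypt, 256 ... passed.
        ✓ 51 out of 51 self-tests passed.
        ✓ Check FIPS cryptographic module is available... passed.
        ✓ Check FIPS approved only mode (EVP_default_properties_is_fips_enabled)... passed.
        ✓ Check non-approved algorithm blocked (HMAC-MD5)... passed.
Available approved algorithms for security purposes (fips=yes):
        ✗ MD5
        ✓ SHA-2
"""

REQUIRED_CHECKS = ("FIPS cryptographic module is available",
                   "FIPS approved only mode",
                   "non-approved algorithm blocked")


def verify_fips_output(text):
    """Return a list of problems; an empty list means the gate passes."""
    problems, seen, section = [], [], ""
    m = re.search(r"(\d+) out of (\d+) self-tests passed", text)
    if not m:
        problems.append("self-test summary line missing")
    elif m.group(1) != m.group(2):
        problems.append(f"only {m.group(1)} of {m.group(2)} self-tests passed")
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            section = raw  # an unindented line starts a new section
            continue
        mark, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        if rest.startswith(("Self-test ", "Check ")):
            seen.append(rest)
            if not (mark == "✓" and rest.endswith("passed.")):
                problems.append(f"not passed: {rest}")
        elif "fips=yes" in section and rest == "MD5" and mark != "✗":
            problems.append("MD5 is offered as an approved algorithm")
    for check in REQUIRED_CHECKS:
        if not any(check in line for line in seen):
            problems.append(f"required check absent: {check}")
    return problems
```

Truncated or empty output is reported as missing checks rather than passing silently.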